The Information Commissioner's Office (ICO) criticised Bradford-based Vanquis Bank for relying on consents it had obtained from third parties.
"Vanquis Bank obtained the marketing lists used to send the messages from other organisations," the ICO said in a statement. "It relied on indirect consent rather than checking itself that the correct level of consent had been obtained. The consent included non-specific, general wording, such as ‘trusted parties’ and ‘carefully selected third parties’."
The watchdog fined Vanquis Bank (17-page / 2.73MB PDF) after finding it responsible for a serious breach of the UK's Privacy and Electronic Communications Regulations (PECR). The company sent 870,849 spam text messages and 620,000 spam emails, the ICO said.
The ICO separately issued the firm with an enforcement notice (8-page / 1.2MB PDF) which outlines conditions that Vanquis Bank must follow when engaging in direct marketing activities in future.
The action taken by the ICO follows another case earlier this year in which the watchdog fined lender Provident Personal Credit £80,000 over failings in the company's affiliate marketing arrangements.
In separate enforcement action announced on Tuesday, the ICO fined advertising company Xerpla £50,000 (14-page / 2.11MB PDF) for breaching PECR.
Xerpla "sent nearly 1.26 million spam emails promoting products and services as far ranging as dog food, wine, competitions and boilers on behalf of other firms" but did not the "right consent" from the people who received the messages, the ICO said.
Head of enforcement at the ICO, Steve Eckersley, said: "There are rules in place to protect people from the irritation, and in some cases anxiety and distress, spam texts and emails cause. People need to be properly informed about what they are consenting to. Telling them their details could be passed to ‘similar organisations’ or ‘selected third parties’ cannot be relied upon as specific consent."
"People were so exasperated by these messages that they complained to us. That sparked two ICO investigations and enabled us to take action and hold the firms behind this nuisance to account. These firms should have taken responsibility for ensuring they had obtained clear and specific consent for the sending of the messages. They didn’t and that is unacceptable," he said.